Skip to content
This repository has been archived by the owner on Mar 7, 2018. It is now read-only.

set auth_token to a generated UUID if AUTH_TOKEN not passed in ENV #247

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

set auth_token to a generated UUID if AUTH_TOKEN not passed in ENV #247

wants to merge 2 commits into from

Conversation

grahamb
Copy link

@grahamb grahamb commented Oct 10, 2013

Fixes issue #191. If an AUTH_TOKEN ENV variable is not present, uses SecureRandom.uuid to generate a UUID to use as the token.

AUTH_TOKEN='foobarbaz' dashing startsettings.auth_token == 'foobarbaz'
dashing startsettings.auth_token == 'some-random-uuid-string'

grahamb and others added 2 commits October 10, 2013 11:14
`require 'SecureRandom'` works on my OS X dev machine, but not on my linux deploy box. `require 'securerandom'` works on both.
@pseudomuto
Copy link
Contributor

@grahamb would this create a new token each time the app ran if you didn't set the env var? If so, that could be annoying for people during development and could cause integration issues in production.

I really like the environment variable bit though!

Maybe we should:

  • remove the 'YOUR_AUTH_TOKEN' default and use ENV['AUTH_TOKEN'] in templates/project/config.ru
  • update Dashing::CLI#start to raise an error/warning if the environment variable is not set

@pushmatrix what are your thoughts?

@kmayer
Copy link

kmayer commented Mar 4, 2014

use ENV.fetch('AUTH_TOKEN') in config.ru; it will raise an error. Or add a proc with a better default.


configure do
set :auth_token, 'YOUR_AUTH_TOKEN'
set :auth_token, ENV['AUTH_TOKEN'] || SecureRandom.uuid
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ENV.fetch('AUTH_TOKEN') { SecureRandom.uuid }

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are subtle differences...

@y = 0
def y
  @y += 1
end
Example X is unset X is anything X is nil unset, second call
`ENV["X"] y` 1 {anything}
ENV.fetch("X") { y } 1 {anything} nil 2
ENV.fetch("X", y) 1 {anything} nil 1

@terraboops
Copy link
Contributor

I like this PR and the approach taken. Many people don't know how to use the auth token and this leaves their Dashing instances vulnerable to exploits. This PR would make them secure by default (random token).

I do however prefer @kmayer's syntax but no need to open a block: ENV.fetch('AUTH_TOKEN', SecureRandom.uuid). This is definitely a matter of personal preference though, as ENV['UNKOWN_KEY'] || true will return true just as surely as ENV.fetch('UNKOWN_KEY',true) will.

That being said, @pseudomuto brings up a good point: that this would be a (small, but) breaking change. Not sure how to resolve that.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants